Analysis
max time kernel
91s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
08-03-2024 00:47
Behavioral task
behavioral1
Sample
ba180590786db12ec1080fee2516aca4.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
ba180590786db12ec1080fee2516aca4.exe
Resource
win10v2004-20231215-en
General
Target
ba180590786db12ec1080fee2516aca4.exe
Size
5.3MB
MD5
ba180590786db12ec1080fee2516aca4
SHA1
5070f71c8f34f303c1677161b7b616f3cea80dd8
SHA256
7a90fa5cef6cf8a4ecf36ff8cbeef7f1b40386c08a7b6b51a9c0238df9bec61b
SHA512
86c7fe85668a3986050f68343e1634ed258ad9e84a4b486dd280fb3afe9bc8bd3f082b5792b4148edf8bf85e4d4b6d0bd8aca4e23c3dd7143fd2ad38f7f6105e
SSDEEP
98304:LAfhnsQ2gdWhgd6H158sipz/vx69i4ukVTvojhlwF2mo6B7d58sipz/vx69i4ukf:Lin7zWa6HX8si9/vx69iquMhDf8si9/W
Malware Config
Signatures

Deletes itself 1 IoCs
pid   Process
2548  ba180590786db12ec1080fee2516aca4.exe

Executes dropped EXE 1 IoCs
pid   Process
2548  ba180590786db12ec1080fee2516aca4.exe

resource                                                                      yara_rule
behavioral2/memory/4208-0-0x0000000000400000-0x00000000008EF000-memory.dmp    upx
behavioral2/files/0x000e00000002315f-11.dat                                   upx

Suspicious behavior: RenamesItself 1 IoCs
pid   Process
4208  ba180590786db12ec1080fee2516aca4.exe

Suspicious use of UnmapMainImage 2 IoCs
pid   Process
4208  ba180590786db12ec1080fee2516aca4.exe
2548  ba180590786db12ec1080fee2516aca4.exe

Suspicious use of WriteProcessMemory 3 IoCs
description                          pid   Process                               procid_target
PID 4208 wrote to memory of 2548     4208  ba180590786db12ec1080fee2516aca4.exe  85
PID 4208 wrote to memory of 2548     4208  ba180590786db12ec1080fee2516aca4.exe  85
PID 4208 wrote to memory of 2548     4208  ba180590786db12ec1080fee2516aca4.exe  85
Processes

C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 4208

  C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 2548
Network
MITRE ATT&CK Matrix
Downloads
Filesize
1.4MB
MD5
7d0e0d3219c4b044d827790dc5dc4265
SHA1
d5bec57675727db24b9b7f5f40285de8bba4db46
SHA256
f231a3d8326743bb2e2b7a0ebcc081dae4844d9bef43f86f9503f2f76ae711b8
SHA512
78923a6aed8212d9d8683d748558e2d02098e9d4a742c464ab9c7db6621401d4256d5edc93a2a5bafe8e9e271d3dcfc79b2fe86254b44eefa61c95cf7acbe501